~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
base.m4: More subtle handling of HELO greetings.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 prod_requires_admin = false
30
31 SECTION(global, logging)m4_dnl
32 log_file_path = : syslog
33 log_selector = \
34 +smtp_confirmation \
35 +tls_peerdn
36 log_timezone = true
37 syslog_duplication = false
38 syslog_timestamp = false
39
40 SECTION(global, daemon)m4_dnl
41 local_interfaces = <; CONF_interfaces
42 extra_local_interfaces = <; 0.0.0.0 ; ::
43
44 SECTION(global, resource)m4_dnl
45 deliver_queue_load_max = 8
46 queue_only_load = 12
47 smtp_accept_max = 16
48 smtp_accept_queue = 32
49 smtp_accept_reserve = 4
50 smtp_load_reserve = 10
51 smtp_reserve_hosts = +trusted
52
53 SECTION(global, policy)m4_dnl
54 host_lookup = *
55
56 SECTION(global, users)m4_dnl
57 gecos_name = $1
58 gecos_pattern = ([^,:]*)
59
60 SECTION(global, incoming)m4_dnl
61 received_header_text = Received: \
62 ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
63 {${if def:sender_ident \
64 {from ${quote_local_part:$sender_ident} }}\
65 ${if def:sender_helo_name \
66 {(helo=$sender_helo_name)\n\t}}}}\
67 by $primary_hostname \
68 (Exim $version_number)\
69 ${if def:tls_cipher {\n\t} { }}\
70 ${if def:received_protocol \
71 {with $received_protocol \
72 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
73 ${if def:sender_address \
74 {(envelope-from <$sender_address>\
75 ${if def:authenticated_id \
76 {; auth=$authenticated_id}})\n\t}}\
77 id $message_exim_id\
78 ${if def:received_for {\n\tfor $received_for}}
79
80 SECTION(global, smtp)m4_dnl
81 smtp_return_error_details = true
82 accept_8bitmime = true
83
84 SECTION(global, process)m4_dnl
85 extract_addresses_remove_arguments = false
86 headers_charset = utf-8
87 qualify_domain = CONF_master_domain
88
89 SECTION(global, bounce)m4_dnl
90 delay_warning = 1h : 24h : 2d
91
92 DIVERT(null)
93 ###--------------------------------------------------------------------------
94 ### Access control lists.
95
96 SECTION(global, acl-after)
97 SECTION(global, acl)m4_dnl
98 acl_smtp_helo = helo
99 SECTION(acl, misc)m4_dnl
100 helo:
101 ## Check that the caller's claimed identity is actually plausible.
102 ## This seems like it's a fairly effective filter on spamminess, but
103 ## it's too blunt a tool. Rather than reject, add a warning header.
104 ## Only we can't do this the easy way, so save it up for use in MAIL.
105 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
106 ## and we should only care about the most recent one.
107 warn set acl_c_helo_warning = false
108 !condition = \
109 ${if exists {CONF_sysconf_dir/helo.conf} \
110 {${lookup {$sender_helo_name} \
111 partial0-lsearch \
112 {CONF_sysconf_dir/helo.conf} \
113 {${if match_ip \
114 {$sender_host_address} \
115 {$value}}}}}}
116 !verify = helo
117 set acl_c_helo_warning = true
118
119 accept
120
121 SECTION(global, acl)m4_dnl
122 acl_smtp_mail = mail
123 SECTION(acl, mail)m4_dnl
124 mail:
125
126 ## If we stashed a warning header about HELO from earlier, we should
127 ## add it now.
128 warn condition = $acl_c_helo_warning
129 add_header = :after_received:X-Distorted-Warning: \
130 BADHELO \
131 Client's HELO doesn't match its IP address.\n\t\
132 HELO name = $sender_helo_name, \
133 address = $sender_host_address
134
135 ## Always allow the empty sender, so that we can receive bounces.
136 accept senders = :
137
138 ## Ensure that the sender is routable. This is important to prevent
139 ## undeliverable bounces.
140 require message = Invalid sender; \
141 ($sender_verify_failure; $acl_verify_message)
142 verify = sender
143
144 ## If this is directly from a client then hack on it for a while.
145 warn condition = ${if eq{$acl_c_mode}{submission}}
146 control = submission
147
148 SECTION(acl, mail-tail)m4_dnl
149 ## And we're done.
150 accept
151
152 SECTION(global, acl)m4_dnl
153 acl_smtp_connect = connect
154 SECTION(acl, connect)m4_dnl
155 connect:
156 SECTION(acl, connect-tail)m4_dnl
157 ## Configure variables according to the submission mode.
158 warn acl = check_submission
159
160 ## Done.
161 accept
162
163 check_submission:
164 ## See whether this message needs hacking on.
165 accept !hosts = +localnet
166 !condition = ${if ={$received_port}{CONF_submission_port}}
167 set acl_c_mode = relay
168
169 ## Remember to apply submission controls.
170 warn set acl_c_mode = submission
171
172 ## Done.
173 accept
174
175 SECTION(global, acl)m4_dnl
176 acl_smtp_rcpt = rcpt
177 SECTION(acl, rcpt)m4_dnl
178 rcpt:
179
180 ## Reject if the client isn't allowed to relay and the recipient
181 ## isn't in one of our known domains.
182 deny message = Relaying not permitted
183 !hosts = CONF_relay_clients
184 !authenticated = *
185 !domains = +known
186
187 ## Ensure that the recipient is routable.
188 require message = Invalid recipient \
189 ($recipient_verify_failure; $acl_verify_message)
190 verify = recipient
191
192 SECTION(acl, rcpt-tail)m4_dnl
193 ## Everything checks out OK: let this one go through.
194 accept
195
196 SECTION(global, acl)m4_dnl
197 acl_smtp_data = data
198 SECTION(acl, data)m4_dnl
199 data:
200
201 SECTION(acl, data-tail)m4_dnl
202 accept
203
204 SECTION(global, acl)m4_dnl
205 acl_smtp_expn = expn_vrfy
206 acl_smtp_vrfy = expn_vrfy
207 SECTION(acl)m4_dnl
208 expn_vrfy:
209 accept hosts = +trusted
210 deny message = Suck it and see
211
212 DIVERT(null)
213 ###--------------------------------------------------------------------------
214 ### Common options for forwarding routers.
215
216 ## We're pretty permissive here.
217 m4_define(<:FILTER_BASE:>,
218 <:driver = redirect
219 modemask = 002
220 check_owner = false
221 check_group = false
222 allow_filter = true
223 allow_defer = true
224 allow_fail = true
225 forbid_blackhole = false
226 check_ancestor = true:>)
227
228 ## Common options for forwarding routers at verification time.
229 m4_define(<:FILTER_VERIFY:>,
230 <:verify_only = true
231 user = CONF_filter_user
232 forbid_filter_dlfunc = true
233 forbid_filter_logwrite = true
234 forbid_filter_perl = true
235 forbid_filter_readsocket = true
236 forbid_filter_run = true
237 file_transport = dummy
238 directory_transport = dummy
239 pipe_transport = dummy
240 reply_transport = dummy:>)
241
242 ## Transports for redirection filters.
243 m4_define(<:FILTER_TRANSPORTS:>,
244 <:file_transport = mailbox
245 directory_transport = maildir
246 pipe_transport = pipe
247 reply_transport = reply:>)
248
249 DIVERT(null)
250 ###--------------------------------------------------------------------------
251 ### Some standard transports.
252
253 m4_define(<:USER_DELIVERY:>,
254 <:delivery_date_add = true
255 envelope_to_add = true
256 return_path_add = true:>)
257
258 SECTION(transports)m4_dnl
259 ## A standard transport for remote delivery. Try to do TLS, and don't worry
260 ## too much if it's not very secure: the alternative is sending in plaintext
261 ## anyway.
262 smtp:
263 driver = smtp
264 tls_require_ciphers = CONF_acceptable_ciphers
265 tls_dh_min_bits = 1020
266 tls_tempfail_tryclear = true
267
268 ## Transport to a local SMTP server; use TLS and perform client
269 ## authentication.
270 smtp_local:
271 driver = smtp
272 hosts_require_tls = *
273 tls_certificate = CONF_sysconf_dir/client.cert
274 tls_privatekey = CONF_sysconf_dir/client.key
275 tls_verify_certificates = CONF_ca_dir/ca.cert
276 tls_require_ciphers = CONF_good_ciphers
277 tls_dh_min_bits = 2046
278 tls_tempfail_tryclear = false
279 authenticated_sender = ${if def:authenticated_id \
280 {$authenticated_id@CONF_master_domain} \
281 fail}
282
283 ## A standard transport for local delivery.
284 deliver:
285 driver = appendfile
286 file = /var/mail/$local_part
287 group = mail
288 mode = 0600
289 mode_fail_narrower = false
290 USER_DELIVERY
291
292 ## Transports for user filters.
293 mailbox:
294 driver = appendfile
295 initgroups = true
296 USER_DELIVERY
297
298 maildir:
299 driver = appendfile
300 maildir_format = true
301 initgroups = true
302 USER_DELIVERY
303
304 pipe:
305 driver = pipe
306 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
307 /usr/local/bin:/usr/local/sbin:\
308 /usr/bin:/usr/sbin:/bin:/sbin
309 initgroups = true
310 umask = 002
311 return_fail_output = true
312 log_output = true
313
314 ## A special dummy transport for use during address verification.
315 dummy:
316 driver = appendfile
317 file = /dev/null
318
319 DIVERT(null)
320 ###--------------------------------------------------------------------------
321 ### Retry configuration.
322
323 SECTION(retry, default)m4_dnl
324 ## Default.
325 * * \
326 F,2h,15m; G,16h,2h,1.5; F,4d,6h
327
328 DIVERT(null)
329 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.